I have always used a local DNS server to reach my servers that are on NAT from the Internet.
It's simple and works very well.
So if my webserver is video.myserver.com with local IP 192.168.100.50, it will have a public DNS record for external users to point to 82.xx.xx.xx and a local DNS entry to point to 192.168.100.50.
One line (DNS) to add for each service, no change in any NAT rules.
When you set up Hairpin NAT and have a dynamic IP on the outside, you do need to use the Cloud function (or other dyndns system) and change all your NAT setup to get it to work.
Example video: https://www.youtube.com/watch?v=_kw_bQyX-3U
Also found this good comment by thirdstreetzero on reddit:
It breaks all kinds of fundamental standards and norms, not to mention statistics, security, things like fasttrack, etc. It makes transitions away from your current configuration more difficult. It’s impossible for future people to interpret, as it shouldn’t be done and without adequate explanation can often require a confusing mess of other work, especially if you’ve got any queues or packet mangling.
Imagine wanting to go into your living room, but to do so you need to go out the back door, around the block, and in through your front door. If that seems too much of an exaggeration, draw out what you are planning on doing using networking nomenclature. It’s equally silly. Your problem, if you state it properly, is that you are not addressing the resource in a way that allows you the shortest path to it. So the problem is how you address it, not how you access it. Once you have accepted that, you can move to the next problem, which is ubiquitous access methods. You don’t want to think about where you are, or what network you’re on, in order to access the resource. Clearly using the local IP won’t work, since that won’t work outside the network. Luckily, we have a solution in DNS. Now all that’s left is to configure a local DNS server to handle requests from within and around the local network, and configure your external DNS to do the same.
Edit:
People use meth to escape their shitty lives. People speed in their cars because they can’t manage their time well. People don’t pick their dog’s shit up because they’re lazy. This is similar - people that have no idea what they’re doing have created a solution to a problem they don’t understand. This was made worse for a long time by shitty router manufacturers that included (and still do include) options to implement this specifically, because it quickly satisfies, as you said, a common problem. That does not mean it’s correct. It isn’t. You have literally everything you need on any ROS device to handle this problem correctly, without ever using hairpin NAT.
Anyone has a comment to this?
Any good reason for using Hairpin NAT other than you do not have a local DNS server?
Not sure what your post means? Why not to use? Anyways, with DNS you can only do a single internal host; if you need multiple IPs to work with a DNS name inside your network you simply must use hairpin.
For example, how would you access 3 different IPs via DNS name? If you add a static entry for, like, mydomain.dyndns.org to 192.168.1.50 (some server), what if I need access to 192.168.1.51 also but on another port? If I hit mydomain.dyndns.org it will again point me to the first one, 192.168.1.50.
With hairpin you can do this, for example different ports go to different internal IPs and ports.
I do use HAProxy to handle all my servers/web servers. This way I only need to point port 80/443 from outside to one IP. On the inside, I point all DNS to the HAProxy server. It then sends it to the correct server.
Meaning with the post was to get a discussion about Hairpin NAT: why, or why not, use it.
Just think about going IPv6 … no NAT there. So HairpinNAT really is an obscure solution to a specific problem … and the use case of @ivicask is just further exaggerated misuse.
Quite a few times people requested full-featured DNS server for ROS … and excuse is that they’ve got super-duper CCR1072 sitting in the comms closet and that it should be fit to perform those duties as well. I guess those people use their super-size wheel loaders for drift racing and container loading as well? People should use proper tools for particular job, that’s all.
Now I'm confused, so please tell me, how do I reach my various internal IP addresses via the same DNS host name from both outside and inside of the network if not via hairpin?
When someone on the internet asks for your server web.myserver.com on internal IP 192.168.10.50, he asks a public DNS and gets a public IP 85.12.134.20 (sample IP) that you have registered at a public DNS server.
Then when you are on the internal net, you will use the DNS server you get from your DHCP server. That should not be Google or another public DNS server, but your DNS server. There you will get the local IP 192.168.10.50. So you access your internal server directly without passing through your router.
What you're suggesting is a nightmare. I have a single public DNS name and I can access everything in my and other companies while I'm in the local network or outside.
Example? I need access to 3 servers via RDC.
192.168.50.50 external port 3000 internal 3389
192.168.50.60 external port 4000 internal 3389
192.168.50.70 external port 5000 internal 3389
Then I have a video recorder
192.168.50.80, 2-3 various ports for it to work.
Or I have in my phone in the video surveillance app blablab.dyndns.org (auto uses the ports it needs).
And all works, single DNS name, I can access various internal IPs and ports from outside or inside of the network.
What you're suggesting is unnecessary complication (and costs), I would need to have different DNS names for everything I wanna access on the network, in some companies I have over 30 internal IPs, which would mean 30 domains instead of one…
Besides, my question, what's actually wrong with Hairpin NAT? It doesn't lower security as far as I see it, doesn't affect router performance (at least in my scenarios)
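As an added example, not posted by anyone in this thread, here is RouterOS configuration for ivicask's scenario (three RDP hosts reached through one public name on external ports 3000/4000/5000) with the single hairpin srcnat rule, followed by the one-line split-DNS entry the original post describes. The interface list name WAN, the LAN subnet 192.168.50.0/24 and the host name rdp1.example.com are assumptions.

```routeros
# Assumed: interface list "WAN" holds the Internet-facing interface,
# LAN is 192.168.50.0/24 (host addresses taken from ivicask's post).
/ip firewall nat
# Ordinary outbound NAT for the LAN
add chain=srcnat out-interface-list=WAN action=masquerade comment="outbound masquerade"

# Port forwards: one public address, different external ports, same internal port 3389.
# dst-address-type=local matches whatever address the router currently holds,
# so the rules keep working when the public IP is dynamic.
add chain=dstnat dst-address-type=local protocol=tcp dst-port=3000 action=dst-nat to-addresses=192.168.50.50 to-ports=3389 comment="RDP host 1"
add chain=dstnat dst-address-type=local protocol=tcp dst-port=4000 action=dst-nat to-addresses=192.168.50.60 to-ports=3389 comment="RDP host 2"
add chain=dstnat dst-address-type=local protocol=tcp dst-port=5000 action=dst-nat to-addresses=192.168.50.70 to-ports=3389 comment="RDP host 3"

# Hairpin NAT: the one extra rule. After dst-nat, a LAN client's packet to the public
# address now has a LAN destination; without this rule the server would answer the
# client directly with its private IP and the client would drop the unexpected reply.
# Masquerading the source makes the reply return through the router, where the
# connection tracking entry un-NATs it.
add chain=srcnat src-address=192.168.50.0/24 dst-address=192.168.50.0/24 action=masquerade comment="hairpin NAT"

# Split-horizon DNS alternative (the original post's approach): one static entry per
# service, served by the router's DNS to LAN clients, which then reach the host directly.
# This cannot distinguish by port, which is the limitation ivicask points out.
/ip dns static
add name=rdp1.example.com address=192.168.50.50 comment="LAN clients resolve to local IP"
```

With the hairpin rule in place the same public name works from inside and outside, at the cost of LAN-to-LAN traffic for those services passing through the router twice; the DNS entry avoids that detour but only maps a name to one host.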
But I would never open many RDP sessions to the internet.
Open only one RDP server and from that server connect to all the others.
The less the better.
And since you do not use 3389, this is just for your admin use and not a generic solution, so you can handle many DNS names as easily as you would handle different ports.
Anyone has a comment to this?
Any good reason for using Hairpin NAT other than you do not have a local DNS server?
I have.
I use hairpin NAT out of necessity. Don’t get me wrong: I hate all things NAT with a passion. One of the best things of IPv6 is the possibility of killing NAT. One can always dream.
Anyway.
I host several game servers, on my home connection. When someone joins the match, it does so by browsing the Steam list of available games. I have to do it too - it’s just how it works. So, I join a game on my external IP - coming from my intranet. Without hairpin NAT it doesn’t work for me. Simple as this.
So, no. Just because it doesn’t fit your use case it doesn’t mean that it is wrong to use.
Even for a small company dealing with around 30 identities it is tricky and sometimes impossible to force all people to use our internal DNS, as there are different use cases:
cloud servers connecting to server through VPN need stable addressing
road warriors
teleworking
VPN accesses
Also, as Paternot commented, sometimes addresses are coming from different sources than DNS.
Hairpin NAT is complicated and brings its own problems, but sometimes is the only way to have a smooth user experience when you arrive to the office with your laptop for half an hour, and then go to a café to keep working using VPN…
I agree that IPv6 is greatly simplifying all of this, while forcing us to tighten our security requirements on computers and people re: password strength and service exposure…
Thank you for this post. I did exactly this; I was overthinking it and I really have no idea why.
I have an internal DNS server at home (Pi-Hole) that I use so I just added the entries for my domains in there and it worked.
No need for crappy HairpinNAT so thank you!
Firstly, thank you for linking my video
I use home.mydomain.com for getting into certain things remotely and from home. These are differentiated by port number. I can’t do that with internal DNS so it suits me quite well. I shared what I found as I initially had a lot of problems getting a hairpin NAT to work.
The post by thirdstreetzero is another prime example of why I love MikroTik so much. There are multiple ways of doing the same task, there is nothing to say who is correct or who is not or even who is more correct. Take a look at the comments in my video, there are a lot of people who have identified the need for a solution for the niche problem and have been very successful following my advice.
The bit about going round the block I don’t fully agree with; ultimately the client needs to get somewhere so it queries the router where to go, and the router either says go down this cable, it’s on my LAN, or it says go down this cable, it’s on my LAN. I understand where the comment is coming from and why, and can vouch for it never having caused me any queuing problems, mangling problems, security issues or even fasttrack problems.
Each to their own but if it triggers people so much that their solution is better because mine is not needed then maybe they should help others with that knowledge, make a YT video, title it MikroTik Hairpin NAT and then supersede me at the top of the search list? (That comment isn’t intended as being arrogant although it may read that way).
So I missed this thread when it was new, but it’s not too late to disagree now - hairpin NAT is awesome!
Ok, that was just to even things out a little. Reality is that hairpin NAT should be unnecessary and is a long-obsolete hack from old IPv4 + NAT times that were supposed to end years ago. Unfortunately, since the world is clearly not as excited by IPv6 as I’ve been for the last ~18 years (well, I’m not sure if I’m still excited, but that’s another matter), we’re still living in IPv4 + NAT times and things got only worse.
Hairpin NAT, even though it’s still a hack, is a simple, foolproof and elegant way to solve many problems. It’s one single srcnat rule. You set it once and you can forget about it. It will transparently work with anything, any hostname, even without DNS, no future changes necessary. How can anyone not like it?
There’s one downside: packets from the LAN to the public address on the router, from which ports are forwarded to an internal server in the same LAN, will take an unnecessary trip there and back to the LAN. So if you expect heavy traffic, you better go with internal DNS. But that’s it.
I do agree Hairpin NAT is a good thing.
But if you do have an internal DNS server (separate or on your MT router), it's just one line to add to the DNS so it goes to the internal IP instead of the external IP.
So it's one line to configure Hairpin NAT and one line to configure DNS. Select what works best for you.